On Tue, Oct 19, 2010 at 10:03 AM, Mike Sievers <[email protected]> wrote: > hi dan (and lis) > yes, the agent conf was copied and I restartet all > > but there is something different now: > > (agent.conf) > > <agent_config name='n001'> > <syscheck> > <ignore>/etc/ppp/chap-secrets</ignore> <<<<<<< file is not ignored > <directories check_all="yes">/lib</directories> <<<<<< this works > </syscheck> > </agent_config> > > maybe the syntax is simply wrong? > > Mike >
It looks right to me. You could try the following: <ignore type="sregex">^/etc/ppp/chap-secrets</ignore> But I don't think that will add anything. Which version of OSSEC are you using? > 2010/10/19 dan (ddp) <[email protected]> >> >> On Tue, Oct 19, 2010 at 9:38 AM, Mike Sievers >> <[email protected]> wrote: >> > Hi list >> > >> > I am using ossec with agents. But the don't use the: >> > /var/ossec/etc/shared/agent.conf file >> > >> > I really have no idea and no error log. >> > What can be happend? >> > What tests are possible? >> > agent_controls says: >> > >> > ID: 005, Name: n001, IP: 192.168.40.2, Active >> > >> > Best, >> > Mike >> > >> >> Is the agent.conf being copied to the agents? Did you restart the >> ossec processes on the agents? >> Double check your agent.conf for any typos, that's bitten me in the past. > >
